What are pgp signatures for?
Signatures take the body of the email (or at least the parts between two markers like —— PGP BEING —— and —— PGP END ——) and generates a hash of the content. Most hashing functions take a large amount of data and produce a fixed size value of it; and given the same data will always produce the same fixed sized value. Examples of hashing functions that you might recognize (but are not necessarily used in PGP signed emails): MD5, SHA-1, SHA-2, etc. Then PGP takes this hash value and encrypts it with your private key. This is the signature. The recipient, if they wish to validate that the message both (a) has not changed and (b) is from the person it says it is from, follows these steps: 1) Take the body of the email and hash it using the same hash function. 2) Take the encrypted hash in the message and decrypt it using the person’s public key. 3) Compare the value from (1) to the value from (2). If the message is no
When people attach a “pgp signature key” to their e-mails PGP keys and PGP signatures are totally different things, don’t confuse the two. They do look similar (a block of base64 with —– lines above and below). If someone attaches a key, that’s just a convenience— they’re saying, “hey, here’s a key, you can use it to communicate with me”— but it’s kind of pointlessly verbose. Most people will just include a key fingerprint or key ID (a much shorter string of digits) and you can get the key from a keyserver based off that. OTOH, if someone signs a message then, if you verify that message you can confirm that it was written by someone who had access to the corresponding key. (If you just copy-and-paste the signature, it won’t verify any more. If you don’t verify the signature, then PGP is doing nobody any good.) Ideally, the only person who has the secret key is the person you think you’re talking to. This leads to the most complicated part of any verification system— that seems to su
